Tag: Selling Security to the Board

Secure change by changing security; how to express security value to boards so they make it part of their change strategies

Presentation by Jamie Rees from Government of New Brunswick Canada

The process they followed is outlines below, along with some thoughts for what you can do to make use of this process;

Define;

The Challenge – For them this was around multiple boards and ensuring the CISO has access to all of these

The executive office – CISO – Managed to get the CISO onto all the boards (health authorities, transport, education etc.)

For you – define your challenges in your business – not ensure board representation? Politics? Lack of budget?

Prepare;

What do we want to tell the the board?

How do we get ready to tell them?

They created roadshows, had one on one discussions, practiced a lot – eve practicing in the actual rooms they would present in, made point to appear very professional.

Also created hand outs, collaboration sites, follow on messaging, got involved in local security events to raise profile, research online and magazines – be prepared for surprise questions. They even published an actual book of their architecture.

Everything they do is now vetted through the execs, no surprises on either side. Security now has a dedicated security architecture slide on the government strategy and EA roadmap.

They formalised the relationship between the risk and the outcome – link key operational items to the outcomes the board expect, this included results of threat and risk assessments, public body (ISF) health check results, number of outstanding security exceptions

The primary message is “risk exists and it threatens your expected outcomes in this way”

Bring Solutions!

The second message needs to be “if you are uncomfortable with the potential impacts on your outcomes, we have some solutions for reducing them”

Review;

What have we learned?

Welcome the regular 5-10 minutes on the board agenda over the 1 hour irregular meetings – this helps you become one of them, and keeps your issues at the top of their minds.

If they start talking amongst themselves – don’t interrupt, let them generate their understanding organically. It is their meeting, not yours, don’t try to ‘get them back on track’

This is valid information, and in line with other discussions on this topic. The main message is that we need to understand the key issues and concerns of our board. We then must translate security issues into language they understand and then relate these back to how they will impact the key concerns of the board.

Hacking / cracking has evolved from the early days of wanting to understand and make things better through wanting personal fame / recognition to wanting personal / organisational gain (criminals) , National interests (spies) and ‘hactivism’. The threats have evolved to become a lot more serious.

Along with malicious threats, we also have to be aware of carless users, loosing laptops and other devices, sending sensitive emails to the wrong recipient etc.

In addition to threats and users, organisations also have to comply with ever increasing levels of regulation both from industry (PCI-DSS) and governments (SOX etc.).

Topping this of is the fact that IT is ever my critical to all areas of business / organisation functioning.

This threat is well recognised right up to the US presidential level with President Obama quoted as saying;

“the cyber threat to our nation is one of the most serious economic and national security challenges we face.”

Mi6 also address UK parliament on these issues.

So given the level of the threats, and the fact that IT is a regular agenda item in the boardroom you would think that the reaction from management / the board would be –

‘Get this done! Here is the budget to fix things..’

However the response is more often than not apathy or the head in the sand.

Why is this?

Are we doing something wrong as a security industry?

Hacking systems == Easy

Hacking applications == Easy

Hacking management != Easy

We often think management isn’t clever if the don’t understand the issues. This is not true, senior leadership usually intelligent and educated, and also very busy.

How do we solve this?

We must get inside their heads and understand their drivers. These are things like profit and loss, audits, reports to shareholders etc.

We like to talk about 0-days, attacks, hackers, exploits, worms etc.

When we talk like this management hear BLAH BLAH BLAH…

They think money; we are very bad at this. Do we consider on-going maintenance costs as well as the initial cost?

In order to hack a system you need to understand it!

Thought on how;

– We (IT / IT security) must get better at understanding the business. Make sure you understand your business strategy and plans.

– We must reduce the FUD (Fear Uncertainty and Doubt), the sky is not always falling – be realistic and talk in business terms.

– Focus on the benefits, e.g. if we do this and implement that we’ll reduce security incidents by XX and save £XX.

– Understand and explain the security trade-offs, you’ll never be 100% secure so understand and explain what different choices mean.

– Act professionally – talk about improving assurance rather than penetration testing – use professional language and actions.

– Speak plainly and translate terminology. Instead of there is a 0-day vulnerability on the server that could give root privileges to the attacker. Try; There is a vulnerability on the database server that manages our key financial data which could allow someone to view all of that data.

– Engage with the business, don’t hide in the basement! Present metrics and information back to the business about the benefits of our AV, DLP, proxy servers etc. – make the benefits we already provide and plan to provide much more visible.

To have secure systems and more importantly a secure organisation we all have to work together!

Thoughts about next steps from the talk;

Within 3 Months:

– Review How You Present Security Issues to Senior Management

– Focus on Cost and Benefits

Within 6 Months

– Become More Visible With Management

– Align Information Security With Business

Within 12 Months

– Get Approval for New Infosec Initiatives

– Have the Business Come to You !!

For security to become more successful, and indeed a key part of business process we need to become more professional and business minded. We must engage better with the business and speak in the language and terms that they understand and care about. These are great points and ones we as an industry really need to bear in mind if we want to become a more central part of our organisations.